{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/picklescan/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71373"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.33"],"_cs_severities":["high"],"_cs_tags":["vulnerability","rce","picklescan","python","deserialization"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eCVE-2025-71373 details a critical vulnerability affecting \u003ccode\u003epicklescan\u003c/code\u003e versions before 0.0.33, a tool designed to validate the safety of Python pickle files. This flaw allows remote attackers to circumvent the security mechanisms by embedding \u003ccode\u003eoperator.methodcaller\u003c/code\u003e function calls within crafted pickle files. \u003ccode\u003epicklescan\u003c/code\u003e fails to detect these specific calls, mistakenly deeming the malicious files as safe. Consequently, any system that processes these specially crafted pickle files and relies on the vulnerable \u003ccode\u003epicklescan\u003c/code\u003e for validation will execute the embedded arbitrary code upon loading the file, leading to full system compromise. This vulnerability carries a CVSS v3.1 base score of 8.1 (High), highlighting its severe impact and ease of exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Python pickle file containing arbitrary code embedded within \u003ccode\u003eoperator.methodcaller\u003c/code\u003e function calls.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers this malicious pickle file to a target system, potentially via email, file upload functionality, or as part of a data exchange.\u003c/li\u003e\n\u003cli\u003eThe target system, which is configured to process Python pickle files, receives the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe system invokes \u003ccode\u003epicklescan\u003c/code\u003e (version prior to 0.0.33) to validate the safety and integrity of the incoming pickle file.\u003c/li\u003e\n\u003cli\u003eDuring validation, \u003ccode\u003epicklescan\u003c/code\u003e fails to correctly identify and flag the \u003ccode\u003eoperator.methodcaller\u003c/code\u003e function calls as malicious, allowing the bypass of its security checks.\u003c/li\u003e\n\u003cli\u003eThe target application, erroneously assuming the pickle file is safe based on \u003ccode\u003epicklescan\u003c/code\u003e's flawed validation, proceeds to load the file into memory.\u003c/li\u003e\n\u003cli\u003eUpon loading, the arbitrary code embedded within the \u003ccode\u003eoperator.methodcaller\u003c/code\u003e context is executed on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution, leading to system compromise, which can involve data exfiltration, further persistence, or other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71373 grants remote attackers arbitrary code execution capabilities on affected systems. Organizations utilizing \u003ccode\u003epicklescan\u003c/code\u003e for validating pickle files, particularly in data processing pipelines or applications handling untrusted serialized Python objects, are at risk. This could lead to complete compromise of the affected servers or workstations, potentially resulting in data breaches, installation of malware, or disruption of critical services. The CVSS score of 8.1 reflects the high severity, indicating that an unauthenticated attacker can achieve high confidentiality and integrity impact with low attack complexity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.33 or later to patch CVE-2025-71373.\u003c/li\u003e\n\u003cli\u003eEnsure all applications handling Python pickle files validate their source and integrity rigorously, even when using security scanners.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and sanitization for all external inputs, especially those that might involve deserialization of data, to prevent malicious pickle files from being processed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:29:27Z","date_published":"2026-07-04T02:29:27Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71373-picklescan-bypass/","summary":"Remote attackers can bypass security checks in `picklescan` versions prior to 0.0.33 by crafting malicious pickle payloads utilizing `operator.methodcaller` function calls, which upon loading by systems relying on `picklescan` for validation, results in arbitrary code execution and system compromise.","title":"CVE-2025-71373: Picklescan Bypass via `operator.methodcaller` Leads to Arbitrary Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71373-picklescan-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71369"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.28"],"_cs_severities":["high"],"_cs_tags":["python","deserialization","rce","vulnerability","supply-chain","machine-learning"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eCVE-2025-71369 addresses a critical flaw in \u003ccode\u003epicklescan\u003c/code\u003e versions released before 0.0.28, a tool designed to detect malicious Python pickle files. This vulnerability permits remote attackers to craft specially designed pickle files that leverage \u003ccode\u003etorch.utils.data.datapipes.utils.decoder.basichandlers\u003c/code\u003e within their \u003ccode\u003e__reduce__\u003c/code\u003e methods. The \u003ccode\u003epicklescan\u003c/code\u003e library, when tasked with scanning such files, fails to identify the embedded malicious code, effectively bypassing its intended security checks. Consequently, when an affected application or system subsequently deserializes these \u0026quot;undetected\u0026quot; malicious pickle files, the embedded code is executed, leading to remote code execution (RCE). This poses a significant supply chain risk, as data scientists or ML engineers using vulnerable \u003ccode\u003epicklescan\u003c/code\u003e versions could inadvertently process compromised data, granting attackers control over their environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Python pickle file by embedding arbitrary code within the \u003ccode\u003e__reduce__\u003c/code\u003e method, specifically utilizing \u003ccode\u003etorch.utils.data.datapipes.utils.decoder.basichandlers\u003c/code\u003e to evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes this malicious pickle file, potentially through compromised data repositories, malicious PyPI packages, or by sending it directly to a target.\u003c/li\u003e\n\u003cli\u003eA victim organization or individual downloads and stores the seemingly benign pickle file, potentially as part of a dataset or machine learning model.\u003c/li\u003e\n\u003cli\u003eThe victim's environment, which integrates a vulnerable version of \u003ccode\u003epicklescan\u003c/code\u003e (prior to 0.0.28), processes or scans the downloaded pickle file.\u003c/li\u003e\n\u003cli\u003eDue to CVE-2025-71369, \u003ccode\u003epicklescan\u003c/code\u003e fails to identify the malicious payload within the pickle file, allowing it to be treated as legitimate.\u003c/li\u003e\n\u003cli\u003eA Python application or framework within the victim's environment attempts to deserialize the \u0026quot;clean\u0026quot; pickle file.\u003c/li\u003e\n\u003cli\u003eDuring the deserialization process, the malicious code embedded via the \u003ccode\u003e__reduce__\u003c/code\u003e method is executed by the Python interpreter.\u003c/li\u003e\n\u003cli\u003eThis execution leads to remote code execution (RCE), granting the attacker unauthorized control over the system where deserialization occurred, potentially allowing for data exfiltration, further compromise, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2025-71369 can lead to severe consequences, as remote code execution (RCE) grants attackers full control over the compromised system. This can result in unauthorized access to sensitive data, installation of backdoors, deployment of ransomware, or the use of the compromised system as a pivot point for further network penetration. Given the nature of pickle files in data science and machine learning workflows, this vulnerability presents a significant supply chain risk, potentially affecting numerous organizations that exchange or process such data. The CVSS v3.1 Base Score of 8.1 (High) underscores the critical nature of this flaw, highlighting the ease of exploitation and high impact on confidentiality and integrity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.28 or later to remediate CVE-2025-71369, which contains the fix for this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for all pickle files processed by your applications, especially those originating from untrusted or external sources.\u003c/li\u003e\n\u003cli\u003eReview existing practices for handling and deserializing pickle files; avoid deserializing untrusted data whenever possible.\u003c/li\u003e\n\u003cli\u003eEnsure that any systems processing pickle files operate with the principle of least privilege to minimize the potential impact of successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:27:56Z","date_published":"2026-07-04T02:27:56Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71369-picklescan-rce-bypass/","summary":"A critical vulnerability, CVE-2025-71369, in `picklescan` versions prior to 0.0.28 allows remote attackers to bypass safety checks for malicious Python pickle files that utilize specific `torch.utils.data.datapipes` methods, enabling undetected embedded malicious code to execute during deserialization, which results in remote code execution (RCE) on the victim's system.","title":"CVE-2025-71369: Picklescan Malicious Pickle Detection Bypass Leading to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71369-picklescan-rce-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71367"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.34"],"_cs_severities":["high"],"_cs_tags":["deserialization","vulnerability","python","pickle","rce"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2025-71367, has been identified in \u003ccode\u003epicklescan\u003c/code\u003e versions prior to 0.0.34. This security flaw stems from \u003ccode\u003epicklescan\u003c/code\u003e's inability to properly detect the use of \u003ccode\u003e_operator.attrgetter\u003c/code\u003e function calls when they are embedded within \u003ccode\u003epickle\u003c/code\u003e payloads' \u003ccode\u003ereduce\u003c/code\u003e methods. This oversight allows remote attackers to effectively bypass \u003ccode\u003epicklescan\u003c/code\u003e's intended security checks, designed to prevent malicious deserialization. By crafting a specially designed \u003ccode\u003epickle\u003c/code\u003e file that leverages this bypass, an attacker can achieve arbitrary code execution on systems that deserialize these files using \u003ccode\u003epickle.load()\u003c/code\u003e while relying on the vulnerable \u003ccode\u003epicklescan\u003c/code\u003e version for security. This vulnerability exposes affected applications to severe compromise, including full system control and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Python \u003ccode\u003epickle\u003c/code\u003e file containing carefully constructed bytecode.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003epickle\u003c/code\u003e payload specifically utilizes the \u003ccode\u003e_operator.attrgetter\u003c/code\u003e function within \u003ccode\u003ereduce\u003c/code\u003e methods to invoke arbitrary code.\u003c/li\u003e\n\u003cli\u003eThis specific structure is designed to evade the security detection mechanisms implemented in \u003ccode\u003epicklescan\u003c/code\u003e versions before 0.0.34.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers this crafted \u003ccode\u003epickle\u003c/code\u003e file to a victim system, potentially via email attachments, compromised package repositories, or malicious downloads.\u003c/li\u003e\n\u003cli\u003eA vulnerable application on the victim system attempts to deserialize the malicious \u003ccode\u003epickle\u003c/code\u003e file using Python's \u003ccode\u003epickle.load()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDuring the deserialization process, the integrated \u003ccode\u003epicklescan\u003c/code\u003e library (version \u0026lt; 0.0.34) fails to identify the embedded, malicious \u003ccode\u003e_operator.attrgetter\u003c/code\u003e calls as a threat.\u003c/li\u003e\n\u003cli\u003eDue to \u003ccode\u003epicklescan\u003c/code\u003e's detection bypass, the deserialization process proceeds unchecked, leading to the execution of the arbitrary code defined within the malicious \u003ccode\u003epickle\u003c/code\u003e payload.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully achieves arbitrary code execution on the victim system, potentially leading to system compromise, data theft, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71367 can lead to severe consequences for organizations utilizing \u003ccode\u003epicklescan\u003c/code\u003e versions before 0.0.34. Since the vulnerability allows for arbitrary code execution, attackers can gain full control over the compromised system, leading to unauthorized data access, modification, or destruction. This could result in significant data breaches, operational disruption, and reputational damage. While specific victim counts are not available, any system processing untrusted \u003ccode\u003epickle\u003c/code\u003e files with vulnerable \u003ccode\u003epicklescan\u003c/code\u003e versions is at risk, particularly those in data science, machine learning, or software development pipelines where \u003ccode\u003epickle\u003c/code\u003e is frequently used for object serialization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.34 or higher to remediate CVE-2025-71367.\u003c/li\u003e\n\u003cli\u003eEnsure all applications and services that handle \u003ccode\u003epickle\u003c/code\u003e files are using the patched \u003ccode\u003epicklescan\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eImplement secure deserialization practices, avoiding \u003ccode\u003epickle.load()\u003c/code\u003e of untrusted data even with security scanning, as illustrated by CVE-2025-71367.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:27:18Z","date_published":"2026-07-04T02:27:18Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71367-picklescan/","summary":"Picklescan versions prior to 0.0.34 contain a deserialization vulnerability (CVE-2025-71367) that allows remote attackers to bypass security checks by crafting malicious pickle files using `_operator.attrgetter` in reduce methods, leading to arbitrary code execution when `pickle.load()` processes the file.","title":"CVE-2025-71367: Picklescan Bypass Leading to Arbitrary Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71367-picklescan/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71366"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.28"],"_cs_severities":["high"],"_cs_tags":["cve","vulnerability","deserialization","python","picklescan"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eA significant deserialization vulnerability, tracked as CVE-2025-71366, has been identified in \u003ccode\u003epicklescan\u003c/code\u003e versions predating 0.0.28. This flaw allows malicious actors to craft Python pickle files that include specific \u003ccode\u003etorch.utils.bottleneck.__main__.run_cprofile\u003c/code\u003e function calls. Critically, the \u003ccode\u003epicklescan\u003c/code\u003e library, designed to detect and prevent malicious code execution from untrusted pickle files, fails to properly identify these embedded calls. This bypass of security checks enables remote attackers to inject and execute arbitrary code. When a victim's system loads such a specially crafted and undetected malicious pickle file, the embedded code executes with the privileges of the application processing the file, leading to potential system compromise and data loss. This vulnerability is highly impactful due to the widespread use of pickle files in Python ecosystems for data serialization and the security trust placed in \u003ccode\u003epicklescan\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Python pickle file containing a serialized object that leverages \u003ccode\u003etorch.utils.bottleneck.__main__.run_cprofile\u003c/code\u003e to embed arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker ensures the payload is specifically designed to bypass the detection mechanisms implemented in \u003ccode\u003epicklescan\u003c/code\u003e versions older than 0.0.28.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the crafted malicious pickle file to a target system, potentially through untrusted data ingestion, shared repositories, or direct download.\u003c/li\u003e\n\u003cli\u003eA user or an automated process on the victim's system initiates the loading of the malicious pickle file using a Python application that integrates with the vulnerable \u003ccode\u003epicklescan\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eDuring the scanning process, the vulnerable \u003ccode\u003epicklescan\u003c/code\u003e library (version \u0026lt; 0.0.28) fails to detect the malicious \u003ccode\u003etorch.utils.bottleneck.__main__.run_cprofile\u003c/code\u003e call due to the inherent deserialization vulnerability.\u003c/li\u003e\n\u003cli\u003eUpon deserialization of the undetected malicious pickle file, the embedded arbitrary code is executed on the victim's system, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71366 results in arbitrary code execution on the victim's system, allowing attackers to take full control of the compromised machine. This can lead to unauthorized data access, modification, or exfiltration; installation of malware such as ransomware or backdoors; and further lateral movement within the network. While specific victim counts or targeted sectors are not provided in the source, any organization or individual processing untrusted pickle files with vulnerable versions of \u003ccode\u003epicklescan\u003c/code\u003e could be at risk, especially those in data science, machine learning, or research environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2025-71366 immediately\u003c/strong\u003e by upgrading \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.28 or later to address the deserialization vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement strict validation and sandboxing for all incoming pickle files, especially those from untrusted sources, even after patching, as a defense-in-depth measure against similar deserialization flaws.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:26:41Z","date_published":"2026-07-04T02:26:41Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71366-picklescan-deserialization/","summary":"A critical deserialization vulnerability (CVE-2025-71366) exists in picklescan versions prior to 0.0.28, allowing remote attackers to bypass safety checks by embedding malicious `torch.utils.bottleneck.__main__.run_cprofile` function calls in pickle files, leading to arbitrary code execution when victims load the crafted files.","title":"CVE-2025-71366: Picklescan Deserialization Vulnerability Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71366-picklescan-deserialization/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71362"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan (\u003c 0.0.33)"],"_cs_severities":["high"],"_cs_tags":["cve","deserialization","python","arbitrary-code-execution","vulnerability","picklescan"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2025-71362, has been identified in \u003ccode\u003epicklescan\u003c/code\u003e versions prior to 0.0.33. This issue stems from \u003ccode\u003epicklescan\u003c/code\u003e's failure to adequately detect unsafe deserialization patterns within \u003ccode\u003enumpy.f2py.crackfortran\u003c/code\u003e functions. Specifically, when these functions process data, they may call \u003ccode\u003eeval\u003c/code\u003e on arbitrary strings derived from pickle files, creating an arbitrary code execution vector. Attackers can craft malicious pickle files containing embedded code. If these untrusted files are subsequently loaded and processed by a vulnerable \u003ccode\u003epicklescan\u003c/code\u003e instance, the embedded malicious code will execute, granting the attacker control over the compromised system. This vulnerability poses a significant risk to applications and environments that handle or process pickle files from external or untrusted sources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: An attacker identifies a target system or application that uses \u003ccode\u003epicklescan\u003c/code\u003e (version \u0026lt; 0.0.33) to process Python pickle files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Pickle File Creation\u003c/strong\u003e: The attacker crafts a specially designed pickle file that contains malicious Python code. This code is structured to exploit the unsafe deserialization flaw in \u003ccode\u003enumpy.f2py.crackfortran\u003c/code\u003e functions, ensuring that when the file is loaded, the \u003ccode\u003eeval\u003c/code\u003e function is called with the attacker's payload.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDelivery\u003c/strong\u003e: The attacker delivers the malicious pickle file to the victim. This could be via email (as an attachment), through a compromised web application, or by placing it in a location where the victim's application is expected to load files (e.g., a shared drive, an untrusted repository).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser/Application Interaction\u003c/strong\u003e: The victim's application or user, believing the pickle file to be legitimate or benign, initiates the loading process of the untrusted pickle file using the vulnerable \u003ccode\u003epicklescan\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Deserialization\u003c/strong\u003e: During the deserialization process, the \u003ccode\u003epicklescan\u003c/code\u003e library invokes \u003ccode\u003enumpy.f2py.crackfortran\u003c/code\u003e functions. Due to the CVE-2025-71362 vulnerability, these functions call \u003ccode\u003eeval\u003c/code\u003e on the arbitrary malicious strings embedded within the pickle file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Code Execution\u003c/strong\u003e: The \u003ccode\u003eeval\u003c/code\u003e call executes the attacker's embedded malicious code within the context of the vulnerable application, leading to arbitrary code execution on the host system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact on System\u003c/strong\u003e: With arbitrary code execution, the attacker can achieve various objectives, such as data exfiltration, installation of malware, establishment of persistence, or full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2025-71362 allows for arbitrary code execution on the system running the vulnerable \u003ccode\u003epicklescan\u003c/code\u003e instance. This means an attacker could gain full control over the affected system, potentially leading to complete data compromise, installation of ransomware, deployment of backdoors, or lateral movement within the network. While specific victim counts or targeted sectors are not detailed in the NVD advisory, any organization or developer using affected versions of \u003ccode\u003epicklescan\u003c/code\u003e to process untrusted Python pickle files is at risk. The consequences range from data breach and operational disruption to severe reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2025-71362\u003c/strong\u003e: Immediately upgrade \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.33 or later to mitigate CVE-2025-71362.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Input Validation\u003c/strong\u003e: Ensure that all pickle files processed by applications are from trusted sources and implement strict validation before deserialization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIsolate Processing\u003c/strong\u003e: If processing untrusted pickle files is unavoidable, perform the deserialization in a highly isolated environment (e.g., a secure sandbox or virtual machine) to contain potential arbitrary code execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:25:03Z","date_published":"2026-07-04T02:25:03Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71362-picklescan/","summary":"picklescan versions prior to 0.0.33 are vulnerable to unsafe deserialization via CVE-2025-71362, allowing attackers to embed malicious code in pickle files that executes due to `numpy.f2py.crackfortran` calling `eval` on arbitrary strings when loaded from untrusted sources, leading to arbitrary code execution.","title":"CVE-2025-71362 — picklescan before 0.0.33 fails to detect unsafe deserialization when numpy.f2py.crackfortran functio...","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71362-picklescan/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71360"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.29"],"_cs_severities":["high"],"_cs_tags":["deserialization","rce","vulnerability","python"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eCVE-2025-71360 describes a critical deserialization vulnerability impacting \u003ccode\u003epicklescan\u003c/code\u003e versions prior to 0.0.29, a Python library designed to detect malicious code within Python pickle files. Specifically, the flaw lies in \u003ccode\u003epicklescan\u003c/code\u003e's failure to detect malicious code embedded using the \u003ccode\u003eidlelib.calltip.get_entity\u003c/code\u003e function within pickle reduce methods. This oversight allows attackers to craft specially designed pickle files containing arbitrary Python code that bypasses \u003ccode\u003epicklescan\u003c/code\u003e's security checks. When a victim subsequently loads such a malicious pickle file, the embedded code is executed, enabling remote command execution (RCE) on the affected system. This vulnerability poses a significant risk to applications that process or scan untrusted pickle files, as it effectively nullifies the security benefits \u003ccode\u003epicklescan\u003c/code\u003e is intended to provide.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Python pickle file containing arbitrary code, leveraging the \u003ccode\u003eidlelib.calltip.get_entity\u003c/code\u003e function within the pickle's \u003ccode\u003e__reduce__\u003c/code\u003e method to embed their payload.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes this specially crafted pickle file to a target system, potentially through email attachments, untrusted file downloads, or as part of a compromised data exchange.\u003c/li\u003e\n\u003cli\u003eA victim receives and attempts to process or scan the untrusted pickle file using an affected version of the \u003ccode\u003epicklescan\u003c/code\u003e library (prior to 0.0.29).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epicklescan\u003c/code\u003e library, when performing its security checks, fails to correctly identify and flag the malicious code embedded via \u003ccode\u003eidlelib.calltip.get_entity\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious pickle file is then loaded or deserialized by a Python application or script on the victim's system.\u003c/li\u003e\n\u003cli\u003eDuring the deserialization process, the embedded code within the pickle file executes, leading to arbitrary remote command execution on the victim's system, granting the attacker control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71360 leads to arbitrary remote code execution on the victim's system. This can result in complete system compromise, allowing attackers to install malware, exfiltrate sensitive data, establish persistence, or pivot to other systems within the network. Organizations relying on \u003ccode\u003epicklescan\u003c/code\u003e for validating untrusted data could be unknowingly processing malicious content, leading to widespread compromise. The direct impact is the subversion of a security control, enabling attackers to bypass detection and execute their payloads.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.29 or newer to remediate CVE-2025-71360.\u003c/li\u003e\n\u003cli\u003eImplement strict controls around the handling and loading of Python pickle files, treating all external or untrusted pickle files as potentially malicious.\u003c/li\u003e\n\u003cli\u003eEducate users and developers on the dangers of deserializing untrusted data and the importance of using secure deserialization alternatives or strict validation.\u003c/li\u003e\n\u003cli\u003eConsider deploying application-level sandboxing or isolation for processes that handle pickle file deserialization to limit the impact of potential RCE.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:24:27Z","date_published":"2026-07-04T02:24:27Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71360-picklescan-rce/","summary":"A high-severity deserialization of untrusted data vulnerability (CVE-2025-71360) in picklescan versions before 0.0.29 allows attackers to embed undetected remote command execution code within malicious pickle files, leading to arbitrary code execution when loaded by victims.","title":"CVE-2025-71360: Picklescan RCE via Undetected Malicious Pickle Files","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71360-picklescan-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71356"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.28"],"_cs_severities":["high"],"_cs_tags":["deserialization","python","vulnerability","rce","machine-learning"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eCVE-2025-71356 describes a critical deserialization vulnerability impacting \u003ccode\u003epicklescan\u003c/code\u003e versions before 0.0.28. This vulnerability arises because the library fails to properly detect malicious \u003ccode\u003etorch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression\u003c/code\u003e function calls embedded within Python pickle files. Attackers can leverage this flaw to craft specially designed pickle files that, when loaded by a victim's application utilizing \u003ccode\u003epicklescan\u003c/code\u003e, execute arbitrary code. The issue allows for pre-payload code execution without detection, bypassing the intended security scanning capabilities of \u003ccode\u003epicklescan\u003c/code\u003e. This could allow threat actors to deliver malware, establish persistence, or exfiltrate data through seemingly benign data files, posing a significant risk to machine learning and data science environments that frequently exchange \u003ccode\u003epickle\u003c/code\u003e files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Python \u003ccode\u003epickle\u003c/code\u003e file containing a specially constructed \u003ccode\u003etorch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression\u003c/code\u003e call that includes arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers this malicious \u003ccode\u003epickle\u003c/code\u003e file to a target system, potentially via email, compromised data repositories, or untrusted downloads.\u003c/li\u003e\n\u003cli\u003eA Python application on the victim's system attempts to load or process the \u003ccode\u003epickle\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003epicklescan\u003c/code\u003e library is used to scan the file for malicious content, it fails to detect the embedded arbitrary code within the \u003ccode\u003etorch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression\u003c/code\u003e call.\u003c/li\u003e\n\u003cli\u003eDuring the standard Python \u003ccode\u003epickle\u003c/code\u003e deserialization process, the vulnerable \u003ccode\u003eevaluate_guards_expression\u003c/code\u003e call is executed.\u003c/li\u003e\n\u003cli\u003eThe embedded arbitrary code payload is then executed on the victim's system, leading to remote code execution, granting the attacker control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71356 can lead to complete system compromise through remote code execution. Victims, particularly those in data science, machine learning, and AI sectors that frequently handle \u003ccode\u003epickle\u003c/code\u003e files from various sources, are at risk. Attackers could exploit this to deploy ransomware, establish backdoors, steal sensitive intellectual property, or use the compromised system as a pivot point for further network penetration. The undetected nature of the malicious code within the pickle file bypasses security controls, making this a high-impact vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.28 or later immediately to mitigate CVE-2025-71356.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and source verification for all Python \u003ccode\u003epickle\u003c/code\u003e files loaded in your environment, especially those originating from untrusted sources, even after upgrading \u003ccode\u003epicklescan\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview your software supply chain for components that use or process \u003ccode\u003epickle\u003c/code\u003e files to identify and update any vulnerable instances of \u003ccode\u003epicklescan\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:23:01Z","date_published":"2026-07-04T02:23:01Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71356-picklescan-deserialization/","summary":"A critical deserialization vulnerability (CVE-2025-71356) in `picklescan` versions prior to 0.0.28 allows attackers to embed undetected malicious code within Python pickle files, leading to remote code execution when these files are loaded by victims.","title":"CVE-2025-71356: picklescan Deserialization Vulnerability Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71356-picklescan-deserialization/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71347"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.33"],"_cs_severities":["high"],"_cs_tags":["deserialization","python","arbitrary-code-execution","vulnerability","cve","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2025-71347, has been identified in the \u003ccode\u003epicklescan\u003c/code\u003e library prior to version 0.0.33. This flaw specifically impacts the library's ability to detect malicious pickle files that leverage the \u003ccode\u003enumpy.f2py.crackfortran.param_eval\u003c/code\u003e function within their \u003ccode\u003ereduce\u003c/code\u003e methods during deserialization. Remote attackers can exploit this bypass to embed arbitrary code within seemingly legitimate pickle files. When an application loads and deserializes such an untrusted, malicious pickle file, the embedded code executes, granting the attacker arbitrary code execution capabilities. This vulnerability is significant for organizations that process or scan Python pickle files, as it allows sophisticated bypasses of security tooling, potentially leading to system compromise through a trusted deserialization process. The issue stems from inadequate sanitization or detection logic within \u003ccode\u003epicklescan\u003c/code\u003e when encountering specific NumPy functions, highlighting the persistent risk of deserialization vulnerabilities in Python ecosystems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Crafting\u003c/strong\u003e: An attacker crafts a malicious Python pickle file, embedding a call to \u003ccode\u003enumpy.f2py.crackfortran.param_eval\u003c/code\u003e with attacker-controlled arguments within the pickle's \u003ccode\u003ereduce\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDelivery\u003c/strong\u003e: The attacker delivers the specially crafted malicious pickle file to a target system. This delivery can occur via various means such as email attachments, file downloads, or through compromised data repositories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Bypass\u003c/strong\u003e: If the target system uses \u003ccode\u003epicklescan\u003c/code\u003e versions prior to 0.0.33 to inspect the file, the vulnerability (CVE-2025-71347) causes \u003ccode\u003epicklescan\u003c/code\u003e to fail to detect the malicious code embedded via \u003ccode\u003enumpy.f2py.crackfortran.param_eval\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution Trigger\u003c/strong\u003e: A vulnerable application on the victim's system, designed to process Python pickle data, attempts to load and deserialize the untrusted, now undetected, malicious pickle file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Code Execution\u003c/strong\u003e: During the deserialization process, the embedded \u003ccode\u003enumpy.f2py.crackfortran.param_eval\u003c/code\u003e function is invoked by the Python interpreter, leading to the execution of arbitrary code defined by the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The attacker gains control over the application's process with the privileges of the running application, potentially allowing for data exfiltration, further system compromise, or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71347 results in arbitrary code execution, enabling attackers to fully compromise the affected application and potentially the underlying system. This can lead to sensitive data exfiltration, installation of additional malware, privilege escalation, and complete control over the compromised environment. While the NVD advisory does not specify observed victims or targeted sectors, any organization that uses \u003ccode\u003epicklescan\u003c/code\u003e to validate Python pickle files or deserializes untrusted pickle data is at risk of severe impact, including financial loss, operational disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.33 or later immediately to patch CVE-2025-71347.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and deserialization policies to prevent applications from loading untrusted pickle files, even if scanned by older \u003ccode\u003epicklescan\u003c/code\u003e versions.\u003c/li\u003e\n\u003cli\u003eRefer to the advisory links provided in the \u003ccode\u003ereferences\u003c/code\u003e section for more detailed information about CVE-2025-71347 and mitigation strategies.\u003c/li\u003e\n\u003cli\u003eEnsure all applications processing pickle data are isolated in sandboxed environments to minimize the blast radius of potential arbitrary code execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:21:21Z","date_published":"2026-07-04T02:21:21Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71347-picklescan-rce/","summary":"A critical vulnerability (CVE-2025-71347) exists in picklescan prior to version 0.0.33, allowing remote attackers to bypass security checks by failing to detect malicious pickle files leveraging the numpy.f2py.crackfortran.param_eval function, leading to arbitrary code execution upon deserialization of untrusted data.","title":"CVE-2025-71347: Picklescan Bypass Leads to Arbitrary Code Execution via Malicious Pickle Files","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71347-picklescan-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71345"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.30"],"_cs_severities":["high"],"_cs_tags":["remote-code-execution","deserialization","python","machine-learning","vulnerability"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eCVE-2025-71345 identifies a significant vulnerability affecting \u003ccode\u003epicklescan\u003c/code\u003e versions released before 0.0.30. This flaw enables threat actors to craft malicious pickle files containing embedded code that \u003ccode\u003epicklescan\u003c/code\u003e fails to detect, specifically when the code leverages the \u003ccode\u003etorch.utils.bottleneck.__main__.run_autograd_prof\u003c/code\u003e function. By exploiting this oversight, attackers can bypass the intended security scanning mechanisms of \u003ccode\u003epicklescan\u003c/code\u003e and achieve remote code execution (RCE) on systems that deserialize these specially crafted files. This vulnerability presents a high risk as it allows for undetectable arbitrary code execution, undermining the integrity and security of applications relying on \u003ccode\u003epicklescan\u003c/code\u003e for safe deserialization of Python objects, particularly in machine learning environments where pickle files are commonly used for model persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThe provided source describes a vulnerability in \u003ccode\u003epicklescan\u003c/code\u003e's detection capabilities rather than a multi-stage attack chain in the wild. The exploitation scenario primarily involves the delivery and deserialization of a specially crafted malicious file. Therefore, a multi-step attack chain as observed in active campaigns cannot be accurately constructed from this information.\u003c/p\u003e\n\u003cp\u003eHowever, the core exploitation flow is as follows:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker delivers a malicious pickle file to a victim system (e.g., via email, download from an untrusted source, or compromised data pipeline).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion (Bypass \u003ccode\u003epicklescan\u003c/code\u003e)\u003c/strong\u003e: The malicious pickle file is crafted to invoke the \u003ccode\u003etorch.utils.bottleneck.__main__.run_autograd_prof\u003c/code\u003e function, which \u003ccode\u003epicklescan\u003c/code\u003e versions \u0026lt; 0.0.30 fail to identify as malicious.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeserialization\u003c/strong\u003e: The victim application or system attempts to load and deserialize the seemingly benign pickle file, potentially after a failed \u003ccode\u003epicklescan\u003c/code\u003e check.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Code Execution\u003c/strong\u003e: During the deserialization process, the embedded malicious code within the pickle file is executed in the context of the application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The executed code performs actions determined by the attacker, such as system compromise, data exfiltration, or further malware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2025-71345 results in unauthenticated remote code execution on systems that process untrusted pickle files with vulnerable versions of \u003ccode\u003epicklescan\u003c/code\u003e. This allows attackers to bypass security measures, gain full control over the affected system, steal sensitive data, deploy ransomware, or establish persistence within the network. The vulnerability has a CVSS v3.1 base score of 8.1 (High), underscoring the severe consequences of exploitation, particularly in environments handling machine learning models or other serialized Python objects where \u003ccode\u003epicklescan\u003c/code\u003e is deployed for security scanning.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2025-71345 immediately\u003c/strong\u003e: Update \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.30 or newer to mitigate the vulnerability and ensure proper detection of malicious pickle files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Secure Deserialization Practices\u003c/strong\u003e: Restrict the deserialization of pickle files from untrusted or unverified sources, as described by CWE-502.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEducate Users\u003c/strong\u003e: Train users and developers about the risks associated with handling untrusted serialized data, including pickle files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:20:22Z","date_published":"2026-07-04T02:20:22Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71345-picklescan-rce/","summary":"CVE-2025-71345 describes a critical vulnerability in `picklescan` versions prior to 0.0.30, where attackers can embed undetected malicious code within pickle files that specifically invoke the `torch.utils.bottleneck.__main__.run_autograd_prof` function, leading to remote code execution upon deserialization by bypassing `picklescan`'s security checks.","title":"CVE-2025-71345: Picklescan Malicious Pickle File Detection Bypass Leading to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71345-picklescan-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71343"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.30"],"_cs_severities":["high"],"_cs_tags":["deserialization","remote-code-execution","python","vulnerability","detection-bypass"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eCVE-2025-71343 describes a critical vulnerability affecting \u003ccode\u003epicklescan\u003c/code\u003e versions prior to 0.0.30. This flaw stems from a detection bypass related to the \u003ccode\u003elib2to3.pgen2.pgen.ParserGenerator.make_label\u003c/code\u003e function within the \u003ccode\u003ereduce\u003c/code\u003e method, which is a key component in parsing Python bytecode. Attackers can leverage this vulnerability to craft highly sophisticated malicious pickle files. These files are specifically designed to contain embedded arbitrary commands but will successfully evade \u003ccode\u003epicklescan\u003c/code\u003e's security checks. When an application on a vulnerable system then uses the standard \u003ccode\u003epickle.load()\u003c/code\u003e function to deserialize one of these malicious files, the embedded commands are executed, resulting in arbitrary code execution. This poses a significant risk to systems that process untrusted pickle files, as the primary defense mechanism (\u003ccode\u003epicklescan\u003c/code\u003e) is rendered ineffective against this specific evasion technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Python pickle file containing arbitrary code, specifically exploiting the \u003ccode\u003elib2to3.pgen2.pgen.ParserGenerator.make_label\u003c/code\u003e function's \u003ccode\u003ereduce\u003c/code\u003e method to bypass \u003ccode\u003epicklescan\u003c/code\u003e's detection.\u003c/li\u003e\n\u003cli\u003eThe malicious pickle file is delivered to a target system, potentially through methods such as email attachments, malicious web downloads, or integration into a compromised software supply chain.\u003c/li\u003e\n\u003cli\u003eAn application or user on the target system processes or scans the received pickle file using \u003ccode\u003epicklescan\u003c/code\u003e version prior to 0.0.30.\u003c/li\u003e\n\u003cli\u003eDue to CVE-2025-71343, \u003ccode\u003epicklescan\u003c/code\u003e fails to identify the embedded malicious payload, incorrectly marking the file as benign.\u003c/li\u003e\n\u003cli\u003eA Python application or script on the target system subsequently loads the \u0026quot;undetected\u0026quot; malicious pickle file using \u003ccode\u003epickle.load()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring the deserialization process, the embedded arbitrary code within the pickle file is executed in the context of the Python application.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution on the compromised system, potentially leading to full system compromise, data exfiltration, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2025-71343 allows an attacker to achieve arbitrary code execution on systems that process untrusted pickle files using vulnerable versions of \u003ccode\u003epicklescan\u003c/code\u003e. This can lead to complete system compromise, unauthorized access to sensitive data, installation of malware, or disruption of services. While no specific victim counts are provided, any organization or individual processing Python pickle files in environments where \u003ccode\u003epicklescan\u003c/code\u003e is used for security vetting (especially in data science, machine learning, or software development contexts) is at risk. The undetected nature of the attack makes it particularly dangerous, as security tools designed to prevent such threats are bypassed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.30 or later immediately to patch CVE-2025-71343 and address the detection bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement strict controls on the ingestion and processing of untrusted pickle files, regardless of \u003ccode\u003epicklescan\u003c/code\u003e's output, especially from external or unverified sources.\u003c/li\u003e\n\u003cli\u003eEducate users and developers about the risks associated with deserializing untrusted data, specifically in the context of Python pickle files, to prevent arbitrary code execution (CWE-502).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:19:30Z","date_published":"2026-07-04T02:19:30Z","id":"https://feed.craftedsignal.io/briefs/2026-07-picklescan-detection-bypass/","summary":"A deserialization vulnerability, CVE-2025-71343, in picklescan before version 0.0.30 allows attackers to craft malicious pickle files that evade detection and lead to arbitrary code execution when loaded via `pickle.load()`.","title":"CVE-2025-71343 — picklescan Detection Bypass via Malicious Pickle Files","url":"https://feed.craftedsignal.io/briefs/2026-07-picklescan-detection-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71342"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.30"],"_cs_severities":["high"],"_cs_tags":["vulnerability","rce","supply-chain","python","pickle","pytorch"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eCVE-2025-71342 identifies a significant vulnerability within \u003ccode\u003epicklescan\u003c/code\u003e versions prior to 0.0.30, a Python library designed to scan pickle files for malicious content. The flaw stems from \u003ccode\u003epicklescan\u003c/code\u003e's inability to adequately detect embedded malicious code when attackers specifically use \u003ccode\u003eidlelib.run.Executive.runcode\u003c/code\u003e within the reduce methods of a Python pickle file. This oversight allows threat actors to craft seemingly benign pickle files that, upon deserialization using \u003ccode\u003epickle.load\u003c/code\u003e, will execute arbitrary code. The vulnerability poses a severe risk, particularly for environments handling untrusted pickle files, such as those involving machine learning models (e.g., PyTorch models). Successful exploitation can lead to remote code execution (RCE) on the target system and facilitate widespread supply chain attacks by injecting malicious logic into widely distributed models or data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a specially designed Python pickle file containing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe malicious code is embedded within the pickle file's reduce methods, specifically leveraging \u003ccode\u003eidlelib.run.Executive.runcode\u003c/code\u003e to obscure its true intent.\u003c/li\u003e\n\u003cli\u003eThe attacker then distributes this malicious pickle file, potentially by injecting it into a software supply chain (e.g., a shared machine learning model repository).\u003c/li\u003e\n\u003cli\u003eA victim system or application, such as a PyTorch model loader, downloads or receives the compromised pickle file.\u003c/li\u003e\n\u003cli\u003eThe application attempts to deserialize the pickle file using Python's \u003ccode\u003epickle.load()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDuring the deserialization process, \u003ccode\u003epicklescan\u003c/code\u003e (if present and vulnerable, i.e., version \u0026lt; 0.0.30) fails to identify the \u003ccode\u003eidlelib.run.Executive.runcode\u003c/code\u003e as a malicious primitive.\u003c/li\u003e\n\u003cli\u003eThe embedded arbitrary code within the pickle file's reduce methods is consequently executed by the Python interpreter on the victim's system.\u003c/li\u003e\n\u003cli\u003eThis results in remote code execution (RCE), allowing the attacker to compromise the host system and potentially exfiltrate data or establish persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2025-71342 carries severe consequences, primarily remote code execution (RCE) with a CVSS v3.1 base score of 8.1 (High severity). This vulnerability can lead to complete compromise of the affected system's confidentiality and integrity, as attackers gain the ability to execute arbitrary commands. The primary risk lies in supply chain attacks, where malicious pickle files can be distributed through legitimate channels, infecting numerous downstream users. PyTorch models, often distributed as pickle files, are particularly vulnerable, meaning that compromised models could propagate malware to researchers, developers, and production systems globally, leading to widespread data theft, system sabotage, or further network penetration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.30 or later to remediate CVE-2025-71342.\u003c/li\u003e\n\u003cli\u003eImplement strict validation and sandboxing for deserialization of Python pickle files, especially those from untrusted or external sources.\u003c/li\u003e\n\u003cli\u003eEducate development teams on the risks associated with deserializing untrusted data, specifically in the context of CVE-2025-71342 and \u003ccode\u003epickle.load\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview existing practices for handling and loading machine learning models (e.g., PyTorch models) to ensure only verified and scanned pickle files are processed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:18:42Z","date_published":"2026-07-04T02:18:42Z","id":"https://feed.craftedsignal.io/briefs/2026-07-picklescan-rce/","summary":"A critical vulnerability (CVE-2025-71342) exists in picklescan versions prior to 0.0.30, where it fails to detect malicious code embedded in Python pickle files by leveraging `idlelib.run.Executive.runcode` in reduce methods, allowing attackers to conceal and execute arbitrary code during `pickle.load` operations, leading to remote code execution (RCE) and potential supply chain attacks, particularly impacting PyTorch models.","title":"CVE-2025-71342: picklescan Remote Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-picklescan-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Picklescan","version":"https://jsonfeed.org/version/1.1"}